ton007
Apr 11 2003, 02:56 AM
I don't know if this is the infamous Author vulnerability or not (I'm using MT 2.63), but something is seriously wrong on my MT setup. Maybe this has been mentioned here before - if that's the case just feed me a pointer....
It's this:
1. as admin of my MT blog I set up weblog 2 with a new user
2. I give the new user the ability to Add/Edit Weblog authors.
3. the new user should have the ability to add/edit authors associated with weblog 2
4. new user logs in
5. new user edits authors
6. new user gets a list of authors, including the admin
7. new user can assign general permissions for admin
8. new user assigns zero general permissions for admin
9. new user can assign permissions for all weblogs of admin
10. new user assigns zero permissions for all weblogs of admin
11. new user saves new permissions and logs out
12. admin logs in
13. admin lost access to all weblogs
14. new user has effectively taken over weblog
I did just that, and lost access to my own weblog. I can no longer post to or manage my own weblog.
Anybody care to shed some light on this?
girlie
Apr 12 2003, 05:59 AM
Were you an author in Weblog 2?
girlie
Apr 12 2003, 06:35 AM
I just tested this with two dummy authors.
Dummy1 had post permissions in Weblog1 and Weblog2, and edit authors permissions in Weblog1.
Dummy2 only had post permissions in Weblog2.
Dummy1 was not able to edit the Weblog2 permissions of Dummy2 because Dummy1 did not have edit authors permissions in Weblog2.
So, it looks to me like it's working as I'd expect it to.
Note that there is no such thing as an "admin" as far as MT is concerned. If you give an author the ability to Edit Authors of a blog, and you are also one of the authors of that blog, then the new author can remove your permissions from that particular blog - but not remove you from all blogs in the system. These other blogs don't appear in the edit author screen unless the user has been given edit author permissions in them as well.
If you're saying you were not an author in Weblog2 and/or the new author was able to gain access to all of your blog permissions, then yes, that would seem to be a bug. But I haven't been able to replicate that behavior at all.
ton007
Apr 14 2003, 07:38 AM
part 1:
It's the edit author permissions that count. Dummy 1 can post in and edit author permissions of Weblog 1 and Weblog 2. Dummy 2 can post and edit author permissions in Weblog 2 only. So Dummy 1 shows up as a poster in Weblog 2 when Dummy 2 edits the author permissions in Weblog 2. That's ok. Dummy 2 can edit author permissions of Dummy 1 on Weblog 2. That's ok too. But what's not ok is that Dummy 2 can control the author permissions of Dummy 1 on Weblog 1 as well. And that's what happened.
part 2:
At least I thought that was what happened. Now I'm not too sure. I started all over again, created lots of Dummy users and Dummy blogs, and the results of my own tests proved me wrong. So it looks as if I messed things up myself. I'll continue to experiment a little bit longer though, and I'll post again if anything irregular shows up. Anyway, thanks for your input (again).
strongbow
Nov 9 2003, 02:43 PM
I've found a similar problem that I feel is an extreme bug.
I've created a test blog, called, creatively enough, "Test log".
I created a new user, "test", and gave that user all permissions on "Test log" except "Configure Weblog".
I then log in as user "test" and create a new user, "testing". User test is able to give user testing ALL permissions on "Test log", including permissions user test does not have!
I confirmed this by logging in as user testing. Sure enough, testing now has access to "Configure Weblog".
Placing any restrictions on a user is completely meaningless if that user has the "Add/Edit authors" permission, as they can simply create a new author that is not restricted.
Even better: I just discovered a restricted user doesn't even have to create a new user to bypass their restrictions. Any user who has "Add/Edit author" permission can simply edit themselves to give themselves any permission they want.
The ONLY thing they can't do is edit permissions on blogs where they don't have the "Add/Edit Author" permission. They CAN however create new blogs, and enter file system paths for the new blog that would overwrite an existing blog. Since I use MySQL, all it would take would be a user with rebuild permission on the overwritten blog to log in and rebuild to get that blog back, but there'd be no way to prevent it from happening again.
girlie
Nov 9 2003, 02:49 PM
As mentioned above, giving an author Add/Edit Author permissions is the highest level of authority you can give to an author. There is currently no administrative level of authors in MT.
Simply stated, don't give those permissions to someone you don't trust.
It's not a bug if you say an author can add or edit permissions and then they can do exactly that, even if you don't want them to do it. That's what giving those permissions means.
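The two behaviours argued over in this thread (the per-weblog "Add/Edit Author" check that girlie describes as existing behaviour, and the missing containment check that strongbow's escalation relies on) can be shown side by side in a small authorization model. The following is an added example, not Movable Type's own code: author names, weblog names, permission names and the `AuthorStore` class are all constructed here. The `strict` flag switches on two extra rules that a defender would want: an editor may only grant permissions it already holds in that weblog, and may not edit its own entry.

```python
"""Toy model of per-weblog author permissions with an optional containment rule.

Constructed example; not Movable Type's code. Permission names are placeholders.
"""
from dataclasses import dataclass, field

# Constructed permission vocabulary (assumption: MT's real names differ).
ALL_PERMISSIONS = frozenset({
    "post", "upload", "edit_templates", "rebuild",
    "edit_authors", "configure_weblog",
})


class Denied(Exception):
    """Raised when a permission change is refused."""


@dataclass
class Author:
    name: str
    # weblog name -> set of permissions held in that weblog
    perms: dict = field(default_factory=dict)

    def has(self, weblog: str, perm: str) -> bool:
        return perm in self.perms.get(weblog, set())


class AuthorStore:
    def __init__(self, strict: bool = True):
        self.authors: dict[str, Author] = {}
        self.strict = strict

    def add(self, author: Author) -> None:
        self.authors[author.name] = author

    def set_permissions(self, actor_name: str, target_name: str,
                        weblog: str, new_perms) -> Author:
        """Let `actor_name` set `target_name`'s permissions in `weblog`.

        Creates the target author if it does not exist yet (the "create a
        new, unrestricted author" path from the thread).
        """
        actor = self.authors[actor_name]
        new_perms = set(new_perms)
        unknown = new_perms - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")

        # Rule the thread describes as existing behaviour: editing authors is
        # scoped to weblogs where the actor holds edit_authors.
        if not actor.has(weblog, "edit_authors"):
            raise Denied(f"{actor_name} may not edit authors of {weblog!r}")

        if self.strict:
            # Containment: you cannot hand out what you do not hold yourself.
            excess = new_perms - set(actor.perms.get(weblog, set()))
            if excess:
                raise Denied(
                    f"{actor_name} lacks {sorted(excess)} in {weblog!r}")
            # No self-service escalation: an editor never edits its own row.
            if actor_name == target_name:
                raise Denied(f"{actor_name} may not edit its own permissions")

        target = self.authors.setdefault(target_name, Author(target_name))
        target.perms[weblog] = new_perms
        return target


def strongbow_scenario(strict: bool) -> tuple[bool, bool]:
    """Replay the thread's scenario: 'test' has everything on 'Test log'
    except configure_weblog and tries (a) to create 'testing' with all
    permissions and (b) to grant itself everything.

    Returns (new_author_got_configure, self_escalation_succeeded).
    """
    store = AuthorStore(strict=strict)
    store.add(Author("test", {"Test log": ALL_PERMISSIONS - {"configure_weblog"}}))

    try:
        store.set_permissions("test", "testing", "Test log", ALL_PERMISSIONS)
        created = store.authors["testing"].has("Test log", "configure_weblog")
    except Denied:
        created = False

    try:
        store.set_permissions("test", "test", "Test log", ALL_PERMISSIONS)
        escalated = store.authors["test"].has("Test log", "configure_weblog")
    except Denied:
        escalated = False

    return created, escalated


if __name__ == "__main__":
    print("lax   :", strongbow_scenario(strict=False))   # both succeed
    print("strict:", strongbow_scenario(strict=True))    # both refused
```

With `strict=False` the model behaves as strongbow describes: the edit-authors holder can mint an unrestricted author and can rewrite its own row. With `strict=True` both attempts are refused while ordinary grants (a subset of what the editor holds, to someone else, in the right weblog) still go through, and the cross-weblog refusal that girlie points to holds in both modes.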